Last month a California appellate court affirmed (for the first time among any state appellate courts to consider the issue) the lower court’s denial of class certification for claims brought under the Confidentiality of Medical Information Act (“CMIA”) in the wake of a data breach. Vigil v. Muir Medical Group IPA, Inc., 2022 Cal. App. LEXIS 860 (Cal. App. Ct. Sep. 26, 2022). Given the general receptiveness of California courts to similar claims, this decision is notable in several respects, outlined in additional detail below.

CMIA protects the confidentiality of patients’ medical information. It prohibits healthcare providers from disclosing a patient’s medical information without authorization and imposes a duty on healthcare providers who create, maintain, or dispose of medical information to do so in a manner that preserves the confidentiality of that information. Notably, Section 56.36(b) provides remedies to patients for a healthcare provider’s “release” of confidential medical information in violation of the CMIA. 

The Defendant in this case is a healthcare provider. In May 2018, Defendant notified certain patients that their personal information may have been involved in a data breach that occurred in December 2017. 

Specifically, as alleged in the Complaint, Defendant discovered in March 2018 that a former employee had downloaded copies of information for over 5,400 patients that included insurance and clinical information before her employment ended.  

Plaintiff subsequently filed a class action complaint asserting causes of action for violation of the Customer Records Act (“CRA”) (§ 1798.80 et seq.), violation of the CMIA (§ 56 et seq.), unlawful and unfair business practices under the Unfair Competition Law (“UCL”) (Bus. & Prof. Code, § 17200 et seq.), and negligence. As is often the case in data breach cases, Plaintiff’s UCL claim was predicated on her statutory and negligence claims.  

Plaintiff’s Complaint also alleged that under the Health Insurance Portability and Accountability Act’s (“HIPAA”) Security Management Process standard (45 C.F.R. § 164.308), Defendant’s employees should not have had access to records concerning approximately 5,500 patients without a “compelling” reason, nor should they have been able to take sensitive patient information with them.  

Plaintiff sought to certify a putative class and demanded compensatory and punitive damages for Defendant’s alleged negligence in failing to secure plaintiffs’ personal information. Plaintiff also demanded statutory damages under the CMIA for each class member.

After the litigation was underway, the trial court eventually issued an order denying class certification. The court found that the “crux” of Plaintiff’s “rest[ed] on her claim for breach of [CMIA].” However, the trial court found that claim was fundamentally deficient. Additionally, the trial court found that the predominance of common questions requirement was not met because under the CMIA, “individualized inquiries would be required to prove Defendant’s liability and damages to each of the nearly 5,500 proposed class members.” The trial court ruled that “[l]iability for each class member is predicated on whether his or her information was actually viewed, which on these facts is not capable of resolution in the aggregate.”

On appeal, the Court sided with Defendant.  

First, with regard to Plaintiff’s CMIA claim, the Court applied relevant California precedent and held that “a breach of confidentiality under [CMIA] sections 56.101, subdivision (a) and 56.36, subdivision (b) requires more than a showing that the health care provider negligently maintained or stored confidential information and lost possession of the information because of its negligence.” As such, Plaintiff had no viable CMIA claim.

Second, and in any event, the Court additionally held that the “trial court correctly determined that a breach of confidentiality under [CMIA] sections 56.36, subdivision (b), and 56.101, subdivision (a), requires a showing that an unauthorized party viewed the confidential information at issue.” 

Here, however, “each class member would have to show that his or her medical information was viewed by an unauthorized party to recover under the CMIA.” This was plainly a “private issue” in the view of the Court, not appropriate for class certification.

Accordingly, in a case of first impression for any California state court, the Court held that:

The trial court did not abuse its discretion in concluding individual issues would predominate over common issues. The record demonstrates that [the former employee] may have viewed some of the information on the patient spreadsheet, but [Plaintiff] presented no evidence indicating whose information was viewed. There is also no evidence suggesting that other unauthorized parties viewed the information in the patient spreadsheet or that it was posted or disclosed in a public forum . . . [t]herefore, most, if not all, of the almost 5,500 potential class members would be unable to maintain their CMIA claims against [Defendant] unless they could establish that an unauthorized party viewed their confidential medical information and that [Defendant’s] negligence caused this breach of confidentiality.

This decision is notable as this was the first ruling from any California appellate court addressing class certification issues in the context of claims under CMIA and will impact other cases going forward.

For more on this and other developments impacting future filed data breach class actions, stay tuned. CPW will be there to keep you in the loop.